Real Secure: Your Secure Infrastructure Partner

IT Risk Posture Discovery

IT Risk Posture Discovery
Case Study

Background

The client is a large organization operating within the energy and critical infrastructure sector, supporting complex business and operational functions through a centralized IT environment. Its technology landscape includes enterprise applications, data centre operations, network infrastructure, and shared IT services that are essential to day-to-day operations and business continuity.

Given the critical nature of its operations and increasing reliance on digital systems, the organization sought to gain a clearer understanding of its overall IT risk posture. In particular, leadership required visibility into how effectively existing controls, processes, and governance mechanisms were managing cybersecurity and IT-related risks across the organization.

To address this need, the organization engaged Real Secure IT to perform an IT Risk Posture Discovery Assessment aligned with ISO/IEC 27001:2022, NIST Cybersecurity Framework (CSF) 2.0, and the National Cybersecurity Authority’s Essential Cybersecurity Controls (NCA ECC-2). The engagement was designed to provide a structured, organization-wide view of IT risks across people, process, and technology domains, forming the foundation for informed risk prioritization and improvement planning.

Challenge

Like many organizations operating critical systems, the client had invested in core security controls and monitoring capabilities. However, these efforts were largely focused on maintaining day-to-day operations rather than providing a clear, end-to-end view of where the organization was most exposed to risk.

As the IT environment continued to grow in complexity (spanning enterprise applications, data centre infrastructure, network services, and shared platforms), leadership recognized that individual controls and policies alone were no longer sufficient to understand the true risk landscape. While certain areas had been reviewed in isolation, there was no structured assessment that examined how people, processes, and technology interacted across departments.

In addition, the organization operates in a sector where operational disruption, data loss, or prolonged system unavailability could have serious business and reputational consequences. Without a clear understanding of which risks were most critical, it was difficult to prioritize remediation efforts, justify security investments, or ensure alignment with regulatory expectations.

The challenge, therefore, was not simply identifying vulnerabilities, but gaining a holistic, risk-based view of the IT environment. This would highlight weaknesses, expose hidden dependencies, and enable informed decisions to strengthen the organization’s overall security posture.

Engagement Objectives

The primary objective of this engagement was to provide the organization with a clear, accurate, and holistic view of its current IT risk posture across critical systems, processes, and teams. Rather than assessing individual controls in isolation, the engagement focused on understanding how people, processes, and technology collectively contribute to managing risk across the broader IT environment.

Specifically, the organization sought to:

  • Identify and analyse IT and cybersecurity risks across people, process, and technology domains
  • Evaluate the effectiveness of existing controls and governance mechanisms
  • Assess inherent and residual risks using a structured and consistent risk assessment approach
  • Prioritize risks based on their potential business impact and likelihood
  • Align the organization’s risk posture with recognized international standards and regulatory requirements such as ISO/IEC 27001:2022, NIST CSF 2.0, and NCA ECC-2
  • Define clear and actionable risk treatment measures to reduce residual risk

By achieving these objectives, the engagement enabled leadership and technical teams to gain actionable insight into the organization’s risk landscape, supporting informed decision-making, targeted remediation planning, and the strengthening of overall operational resilience against cyber and IT-related threats.

Engagement Value

The IT Risk Posture Discovery Assessment provided the organization with a structured evaluation of its IT and cybersecurity risk landscape, examining how people, processes, and technology interact across critical systems and departments. Rather than focusing on individual technical issues in isolation, the assessment reviewed existing controls, processes, and governance practices to understand how effectively risks are identified, managed, and prioritized across the organization as a whole.

Conducting this assessment delivered several key benefits:

  • Provided clear visibility into risks affecting critical systems, processes, and operations by identifying weaknesses that could realistically lead to data loss, operational disruption, or reduced service availability.
  • Enabled effective prioritization of remediation efforts by assessing both inherent and residual risk levels, allowing high-impact and high-likelihood risks to be addressed first while lower-risk issues were planned appropriately.
  • Reduced uncertainty in risk management by translating technical and process gaps into well-defined risk scenarios, supporting evidence-based decision-making rather than assumptions.
  • Improved alignment between cybersecurity risks and business objectives by clearly demonstrating how control gaps and process weaknesses could impact operations, reputation, and regulatory obligations.
  • Strengthened regulatory and standards readiness by assessing existing controls against ISO/IEC 27001:2022, NIST CSF 2.0, and NCA ECC-2, and identifying areas requiring improvement to enhance governance and compliance maturity.

By conducting this assessment, the organization was able to adopt a more proactive and informed risk-driven approach to managing IT and cybersecurity risks, strengthening its ability to prevent incidents, respond effectively when issues arise, and maintain long-term operational resilience.

Scope of Work

The engagement consisted of a comprehensive IT Risk Posture Discovery Assessment, designed to provide a detailed understanding of the organization’s IT risk exposure across critical systems, applications, and operational environments. The assessment aimed to cover all major technology areas that support day-to-day operations and business continuity, ensuring a complete view of potential risks.

The following areas were included in the scope of the assessment:

  • IT Applications: Core enterprise applications that support business processes and operational workflows. This included evaluating application-level configurations, security controls, and access management frameworks.
  • SAP Authorization and SAP Applications: Systems managing user privileges, segregation of duties, and application-level access controls, ensuring that sensitive business processes and data are properly protected.
  • Data Centre Infrastructure: Physical and virtual servers, storage systems, and associated data centre operations, focusing on system configurations, resiliency, and protection against unauthorized access or operational disruption.
  • Network Environment: Network architecture, connectivity, and infrastructure components critical to the organization’s operations, including evaluation of potential vulnerabilities in internal and external communications.
  • Office Automation Systems: IT-supported productivity and collaboration tools used across the organization, which are essential for daily operations and employee workflows.
  • IT Helpdesk Operations: Systems and platforms supporting incident management, user support, and reporting mechanisms, ensuring IT-related issues are efficiently tracked and addressed.
  • IT Communications Systems: Email, messaging, and other communication channels, including assessment of logging, monitoring, and security controls.
  • Employee Access and Authorization Systems: Identity and access management platforms, user provisioning processes, and privilege management systems that regulate employee access to critical systems and data.
  • Backup and Recovery Systems: Procedures, technologies, and processes for ensuring data backup, recovery, and operational resilience in case of incidents or disruptions.

This clearly defined scope ensured that the assessment covered all key technical systems and operational environments that could affect the organization’s cybersecurity posture and business continuity. By focusing on these critical areas, the engagement provided a transparent and comprehensive understanding of where risks exist, laying the foundation for effective risk treatment and informed decision-making.

Methodology

In this assessment, we worked closely with the organization to evaluate its IT and cybersecurity risk posture across governance, operational processes, and technology controls. We assessed how IT risks are identified, analysed, and managed within the organization’s operating environment, taking into account business objectives, regulatory requirements, and existing risk management practices.

Throughout the engagement, we engaged directly with key stakeholders, reviewed internal documentation and technical evidence, and assessed controls across the People, Process, and Technology domains. This allowed us to develop a clear, evidence-based view of the organization’s risk exposure and present findings that reflect its actual operating environment and risk priorities.

The IT Risk Posture Discovery engagement was delivered through the following phases:

IT Risk Posture Discovery phases (figure)

Phase 1 – Information Gathering

During Phase 1 of the engagement, we conducted comprehensive information-gathering activities to develop a clear understanding of the organization’s business context, IT environment, and governance framework. These activities ensured that subsequent risk identification and analysis were grounded in actual operational practices, business priorities, and regulatory expectations.

Key Activities
  1. Engagement Framework Definition
  • Confirmed the scope of departments, systems, and IT domains included in the assessment.
  • Conducted meetings with key stakeholders, including heads from the following departments across IT, security, and business units to understand existing processes, operational dependencies, and risk priorities:
      • Information Security Group
      • Information Technology Application
      • Network
      • Data Centre
      • SAP Application
      • SAP Authorization
      • Enterprise Risk Management
      • Employee Relations Department
      • Office Automation
      • Information Technology Helpdesk
      • Information Technology Communications
  • Defined assessment objectives, assumptions, and constraints.
  • Established communication, validation, and escalation mechanisms.
  2. Business and IT Environment Understanding
  • Understood critical business services and their supporting IT systems.
  • Identified key information assets and artifacts to provide a comprehensive view of IT risk exposure. The artifacts analysed for this assessment included:
    • Data centre visitor access logs
    • IT Service Continuity Disaster Recovery Plan
    • The organization’s Data Centre Policies and Procedures
    • Quarterly review results of the Data Centre Access Logs 3 of 4
    • Recovery Report
    • Code of Business Conduct
    • Intune Dashboard
    • Microsoft Defender Screenshot
    • Device Compliance
    • Employee Contract
    • ISG Policies and Procedures
    • Cybersecurity Risk Management Policy and Procedure
    • Network Diagram
    • Hospital Management Information System access review mail – yearly
    • Patch Management Approval Mail
    • Hardware Asset Inventory
    • Clearance Form
    • Change Request tickets in BMC Remedy
    • NCA Regulatory Portal
    • Cybersecurity Plan till 2030
    • Vulnerability and Risk Assessment Reports of newly onboarded software and applications – sample of BMC Remedy
    • Communication mail of ISG Policies and Procedures
    • Mail trail of SAP access reconciliation with departments
  • Reviewed organizational risk appetite and tolerance where defined.
  3. Documentation Collection and Review
  • Collected IT policies, standards, procedures, and governance documents.
  • Reviewed existing risk registers, audits, and prior assessments.
  • Reviewed system inventories, architecture diagrams, and operational documentation.
  • Identified gaps, inconsistencies, or outdated documentation requiring clarification.

Phase 2 – Risk Identification

In Phase 2, we focused on identifying IT-related risks based on the information gathered and evidence reviewed. We analysed control gaps, weaknesses, and inconsistencies across technology, processes, and governance structures to determine what could go wrong, why it could occur, and which assets or business processes would be affected. Each identified risk was clearly defined and documented for further analysis.

  1. Control Gap Identification
  • Identified missing, partially implemented, or inconsistently applied IT controls.
  • Reviewed deviations from ISO 27001, NIST CSF, and NCA ECC requirements.
  • Identified areas where controls exist informally without documented procedures.
  2. Threat and Vulnerability Identification
  • Identified relevant threat scenarios affecting applications, networks, data centers, and users.
  • Reviewed vulnerabilities related to access management, network security, data protection, and monitoring.
  • Considered insider threats, external attacks, operational failures, and third-party risks.
  3. Risk Definition and Documentation
  • Developed clear risk statements describing cause, event, and impact.
  • Identified impacted departments, systems, and business processes.
  • Documented risks in a structured risk register for assessment and tracking.

Phase 3 – Risk Analysis

During Phase 3, we analysed identified risks in detail to assess their likelihood of occurrence and potential business impact. We evaluated existing control maturity, system exposure, operational practices, and stakeholder input to ensure a realistic assessment of risk scenarios. This analysis provided a clear understanding of how risks could materialize and the extent of their impact on operations, data, and regulatory compliance.

The activities below reflect the analysis that was performed.

  1. Likelihood Analysis
  • Analysed how frequently threat scenarios could realistically occur based on current exposure, threat landscape, and historical incidents.
  • Considered weaknesses in access control, monitoring, patching, and operational discipline that increase probability.
  • Factored in system accessibility, user behaviour, third-party access, and automation dependencies.
  • Validated likelihood assumptions through stakeholder input and supporting evidence.
  2. Impact Analysis
  • Assessed potential impact on business operations, service availability, and regulatory compliance.
  • Evaluated data confidentiality, integrity, and availability impacts for each risk scenario.
  • Considered financial loss, operational downtime, reputational damage, and regulatory penalties.
  • Identified cross-departmental impacts where risks affect shared platforms or services.
  3. Inherent Risk Rating
  • Combined likelihood and impact to determine inherent risk levels before controls are considered.
  • Identified risks that could cause enterprise-wide disruption versus localized operational impact.
  • Clearly documented assumptions and rationale supporting each inherent risk rating.

Tools Used

  • GRC / Risk Management Platform (ServiceNow IRM or RSA Archer) – Used to document risks, assess inherent and residual risk, evaluate control effectiveness, assign ownership, and track risk treatment actions.
  • SIEM Platform (Splunk, IBM QRadar, or Microsoft Sentinel) – Used to validate logging coverage, monitoring effectiveness, and detection capability as input to likelihood and impact assessment.
  • Endpoint Detection and Response Platform (Microsoft Defender for Endpoint or CrowdStrike Falcon) – Used to assess endpoint visibility, response capability, and operational maturity contributing to risk evaluation.
  • Enterprise Vulnerability Management (VAM) – Used to review vulnerability exposure, patching effectiveness, and remediation trends across internal systems as input to likelihood and residual risk assessment.
  • Identity and Access Management Platform (Active Directory / Entra ID) – Used to assess access control structure, privilege allocation, and authentication practices contributing to access-related risks.

Phase 4 – Risk Evaluation

In Phase 4, we evaluated the effectiveness of existing technical, administrative, and operational controls in mitigating identified risks. We reviewed supporting evidence such as system configurations, logs, and procedures to validate control operation. Based on this evaluation, we then calculated residual risk ratings to identify risks that remained above acceptable thresholds and required remediation or further management attention.

  1. Existing Control Evaluation
  • Reviewed technical, administrative, and operational controls currently mitigating each risk.
  • Assessed whether controls are fully implemented, partially implemented, or ineffective.
  • Identified control gaps caused by lack of enforcement, documentation, or ownership.
  • Validated control operation through evidence such as logs, configurations, and procedures.
  2. Residual Risk Calculation
  • Re-evaluated likelihood and impact after considering control effectiveness.
  • Assigned residual risk ratings using the agreed risk rating scale.
  • Identified risks that remain above the organization’s risk tolerance.
  • Highlighted risks where controls exist but are not operating as intended.
  3. Risk Prioritization
  • Ranked risks based on residual severity and business criticality.
  • Identified risks requiring immediate remediation versus strategic improvement.
  • Supported management decision-making by clearly distinguishing high-priority risks.
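To make the Phase 3 and Phase 4 logic concrete, the following is an added example of how a risk register can be scored (likelihood × impact for inherent risk, a re-rating after preventive and mitigative controls for residual risk, a tolerance check and a prioritised ranking). It is not the engagement's own tooling; the 5-point scales, the control-effectiveness weights, the band thresholds, the tolerance value and the sample ratings are all assumptions chosen for the illustration.

```python
"""Inherent and residual risk scoring for a risk register.

Added illustration of the Phase 3 / Phase 4 approach; not the engagement's own
tooling. Scales, effectiveness weights, band thresholds, tolerance and the
sample ratings are assumptions.
"""
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Percentage by which a control of the given maturity reduces its dimension (assumed).
EFFECTIVENESS = {"none": 0, "ineffective": 10, "partial": 30, "effective": 60}
RISK_TOLERANCE = 8  # residual scores above this remain unacceptable (assumed)


@dataclass(frozen=True)
class Risk:
    rid: str
    title: str
    likelihood: str        # key of LIKELIHOOD
    impact: str            # key of IMPACT
    preventive: str        # maturity of the controls that lower likelihood
    mitigative: str        # maturity of the controls that lower impact
    business_critical: bool = False


def band(score: int) -> str:
    """Map a 1..25 score onto the high / medium / low bands of the report summary."""
    if score >= 12:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def _reduce(level: int, maturity: str) -> int:
    """Scale a 1..5 level down by the control's percentage; integer ceiling, floor of 1."""
    remaining = level * (100 - EFFECTIVENESS[maturity])
    return max(1, (remaining + 99) // 100)


def inherent_score(r: Risk) -> int:
    """Likelihood x impact before any control is credited (Phase 3)."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def residual_score(r: Risk) -> int:
    """Likelihood x impact after preventive and mitigative controls are credited (Phase 4)."""
    return (_reduce(LIKELIHOOD[r.likelihood], r.preventive)
            * _reduce(IMPACT[r.impact], r.mitigative))


def above_tolerance(r: Risk) -> bool:
    """True when the residual score still exceeds the agreed tolerance and needs treatment."""
    return residual_score(r) > RISK_TOLERANCE


def prioritise(register):
    """Rank by residual severity, then business criticality, then inherent score, then id."""
    return sorted(register, key=lambda r: (-residual_score(r), not r.business_critical,
                                           -inherent_score(r), r.rid))


def summary(register):
    """Count of risks per residual band: the figure behind a residual risk summary chart."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in register:
        counts[band(residual_score(r))] += 1
    return counts


# Constructed register: the four high findings of this case study plus one low finding.
# The ratings and control maturities are illustrative, not the report's values.
REGISTER = [
    Risk("R1", "Privilege access review", "likely", "major", "ineffective", "partial"),
    Risk("R2", "Backup compromise", "possible", "severe", "partial", "partial", True),
    Risk("R3", "Application inventory", "likely", "major", "none", "none", True),
    Risk("R4", "Application user logs", "likely", "major", "none", "partial"),
    Risk("R5", "Visitor log review", "unlikely", "moderate", "effective", "effective"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        action = "TREAT" if above_tolerance(r) else "accept/monitor"
        print(f"{r.rid} {r.title:<24} inherent={inherent_score(r):>2} ({band(inherent_score(r))})"
              f" residual={residual_score(r):>2} ({band(residual_score(r))}) {action}")
    print(summary(REGISTER))
```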

Phase 5 – Risk Treatment, Reporting & Recommendations

During the final phase of the engagement, we translated assessment results into actionable risk treatment plans and prioritized recommendations. We documented the findings in the IT Risk Posture Discovery Assessment report, ensuring risks were clearly traceable to affected systems, departments, and controls. This provided the organization with a structured and practical basis for remediation planning and informed decision-making.

  1. Risk Treatment Planning
  • Defined appropriate treatment strategies (mitigate, transfer, accept, or avoid).
  • Recommended control improvements aligned with ISO 27001, NIST CSF, and NCA ECC-2.
  • Identified technical, process, and governance actions required to reduce risk.
  • Assigned clear ownership and accountability for remediation activities.
  2. Reporting and Documentation
  • Prepared the final IT risk posture discovery report which included:
    • Executive Summary
    • Scope and Methodology
    • Risk Register with Inherent and Residual Risk Ratings
    • Key Strengths and Control Gaps
    • Risk Treatment Recommendations
  • Ensured risks are traceable to departments, systems, and controls.
  3. Recommendations
  • Developed prioritized recommendations based on risk severity and implementation effort.
  • Identified quick wins versus long-term control maturity improvements.
  • Aligned recommendations with operational constraints and business priorities.

Report

At the conclusion of the engagement, Real Secure IT delivered a meticulous report that documented the organization’s IT and cybersecurity risk landscape in a clear, consistent, and actionable manner. The report presented both a summarized and detailed view of the assessment outcomes, allowing stakeholders to understand overall risk exposure while maintaining traceability to individual findings.

At a high level, the report provided a consolidated summary of identified risks, supported by graphical representations that illustrated the distribution of residual risk levels across the environment. These visuals enabled decision-makers to quickly identify areas of higher exposure and understand the overall balance of high, medium, and low residual risks.

The core of the report was the detailed risk register, where each identified risk was recorded in a tabular format for clarity and ease of reference. For every risk, the report documented the underlying causes, the defined risk event, potential consequences, inherent risk rating, existing preventive and mitigative controls, residual risk rating, and a corresponding risk treatment plan. This structured approach ensured consistency in analysis and provided transparency into how risk ratings were determined.

Findings were supported by assessment evidence, including documentation review, stakeholder interviews, and technical observations, ensuring that conclusions were based on verified information rather than assumptions. The report also highlighted observed strengths within the organization’s existing control environment, alongside identified weaknesses, providing a balanced insight into the organization’s current security maturity.

Recommendations were directly tied to identified risks and were presented in a practical, actionable manner, ensuring the report served not only as an assessment record but also as a roadmap for improving the organization’s IT risk posture.

Assessment Findings

The IT Risk Posture Discovery Assessment identified a total of 17 residual risks, categorized as high, medium, and low. Residual risk refers to the level of risk that remains after existing controls, policies, and mitigation measures have been applied. High-risk findings represent areas with the greatest potential to cause operational disruption, data loss, unauthorized access, or reputational damage if unmitigated. Each high-risk finding is analysed below with a detailed explanation of its cause, impact, and security implications.

Residual Risks Summary (chart)
High-Risk Findings
  1. Privilege Access Review (Residual Risk: High)

The assessment revealed that outdated, excessive, or unnecessary user privileges are not periodically reviewed, creating a significant security exposure. Employees may retain access to systems and applications that are no longer relevant to their role, which can lead to unauthorized data access, modification, or deletion. This accumulation of excessive privileges creates an exploitable attack surface for malicious insiders or external attackers who compromise an account.

The absence of structured privilege access review processes means that the organization cannot confidently ensure that only authorized personnel have access to sensitive systems. Over time, this can result in operational disruptions, regulatory non-compliance, and reputational damage if a breach occurs using dormant privileges.

Cause:

  • No automated or enforced privilege review mechanism exists; reviews are conducted inconsistently or only annually.
  • Lack of centralized tracking for user privileges across all IT systems and applications.
  • Privilege escalation or role changes are not consistently updated in identity management systems, leading to “permission creep” over time.

Consequences and Security Implications:

  • Unauthorized Data Modification: Users with excessive privileges can alter critical business data, configurations, or application settings, potentially leading to operational disruptions.
  • Insider Threat Risk: Malicious or negligent users may exploit excessive privileges to access sensitive corporate data, exfiltrate information, or compromise system integrity.
  • Regulatory Non-Compliance: Failure to enforce least-privilege policies may result in violations of internal policies or regulatory requirements (ISO/IEC 27001, NCA ECC-2).
  • System Misconfiguration Risk: Inconsistent privilege levels increase the likelihood of accidental misconfiguration of key applications or systems, which could lead to downtime or degraded performance.

Existing Controls:

  • Annual access review of some systems is conducted.
  • A Security Operations Center (SOC) exists to monitor for unauthorized activity.

Gaps:

  • Reviews are infrequent and do not cover all systems.
  • No automated or real-time mechanisms to enforce access controls.
  • Lack of centralized privilege management prevents proactive mitigation of excessive access rights.

Recommended Remediation Strategy:

  1. Implement Monthly or Quarterly Privilege Reviews: All systems and applications should undergo structured monthly or quarterly reviews of active user privileges. This ensures that access rights reflect current roles and responsibilities.
  2. Deploy Privilege Access Management (PAM) Tools: A PAM solution will enforce least-privilege principles, automatically restrict unauthorized access, and maintain detailed audit logs of privilege changes.
  3. Integrate Role-Based Access Controls (RBAC): Standardize access levels based on job functions to reduce the likelihood of privilege creep.
  4. Establish Continuous Monitoring: SOC should continuously monitor for anomalous access patterns or privilege escalations to detect potential misuse.
  5. Documentation and Policy Alignment: All privilege access policies should be clearly documented, communicated, and enforced across departments.

Impact of Remediation:

  • Significantly reduces the likelihood of insider threats or accidental data modification.
  • Ensures regulatory compliance and alignment with ISO/IEC 27001 and NCA ECC-2.
  • Improves overall governance and accountability for access management across the organization.
  • Enables faster detection and response to abnormal user activity, reducing potential operational or reputational damage.
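As an added illustration of what a structured privilege review checks (it is not the client's or Real Secure IT's tooling), the script below compares an identity export against a role-based entitlement baseline and flags the three conditions discussed above: group membership the current role does not justify (permission creep), privileged accounts that have gone dormant, and disabled accounts whose memberships were never removed. The role baseline, group names, accounts, dates and the 90-day dormancy limit are constructed for the example.

```python
"""Privilege review: permission creep, dormant privileged accounts, leavers with groups.

Added illustration of the review logic described above; not the organisation's
tooling. Role baseline, group names, accounts, dates and DORMANT_DAYS are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# RBAC baseline: the groups each job role is entitled to (constructed).
ROLE_BASELINE = {
    "sap_basis": {"SAP_BASIS_ADMIN", "VPN_Users"},
    "helpdesk": {"Helpdesk_L1", "VPN_Users"},
    "network": {"Network_Admins", "VPN_Users"},
    "finance": {"SAP_FI_User"},
}
PRIVILEGED_GROUPS = {"Domain Admins", "SAP_BASIS_ADMIN", "Network_Admins", "Backup_Operators"}
DORMANT_DAYS = 90  # assumed: a privileged account idle longer than this is a finding


@dataclass(frozen=True)
class Account:
    user: str
    role: str                    # current job role from the HR / identity system
    enabled: bool
    groups: FrozenSet[str]
    last_logon: Optional[date]   # None means the account has never logged on


def review_account(a: Account, today: date):
    """Return (severity, code, detail) findings for one account."""
    findings = []
    entitled = ROLE_BASELINE.get(a.role, set())
    if not a.enabled and a.groups:
        # Leaver or disabled account whose memberships were never cleared.
        findings.append(("medium", "disabled_still_in_groups", sorted(a.groups)))
        return findings
    for group in sorted(a.groups - entitled):
        # Membership the current role does not justify: permission creep.
        severity = "high" if group in PRIVILEGED_GROUPS else "medium"
        findings.append((severity, "outside_role_baseline", group))
    if a.groups & PRIVILEGED_GROUPS:
        idle = (today - a.last_logon).days if a.last_logon else None
        if idle is None or idle > DORMANT_DAYS:
            findings.append(("high", "dormant_privileged", f"idle_days={idle}"))
    return findings


def review(accounts, today: date):
    """Review every account; highest severity first, then by user name."""
    order = {"high": 0, "medium": 1}
    rows = [(a.user, *f) for a in accounts for f in review_account(a, today)]
    return sorted(rows, key=lambda r: (order[r[1]], r[0], r[2]))


TODAY = date(2025, 6, 30)  # constructed review date
ACCOUNTS = [  # constructed identity export
    Account("a.noor", "sap_basis", True,
            frozenset({"SAP_BASIS_ADMIN", "VPN_Users"}), date(2025, 6, 29)),
    Account("m.ali", "helpdesk", True,
            frozenset({"Helpdesk_L1", "VPN_Users", "Domain Admins"}), date(2025, 6, 28)),
    Account("s.khan", "finance", True,           # moved from SAP Basis, old role kept
            frozenset({"SAP_FI_User", "SAP_BASIS_ADMIN"}), date(2025, 6, 25)),
    Account("j.doe", "network", True,
            frozenset({"Network_Admins", "VPN_Users"}), date(2024, 11, 1)),
    Account("r.lee", "helpdesk", False,          # left, clearance never completed
            frozenset({"Helpdesk_L1"}), date(2025, 1, 10)),
]

if __name__ == "__main__":
    for user, severity, code, detail in review(ACCOUNTS, TODAY):
        print(f"[{severity:<6}] {user:<8} {code:<26} {detail}")
```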

  2. Backup Compromise (Residual Risk: High)

The organization currently performs database backups online, with primary and backup systems connected simultaneously. While this allows for convenient backup management, it creates a significant vulnerability: in the event of a cyber-attack, ransomware infection, or malicious activity, both the live environment and backups could be compromised simultaneously.

This configuration introduces significant business continuity risk, as simultaneous compromise of live and backup data could halt operations, damage the organization’s reputation, and result in financial and regulatory penalties. The risk is particularly high for organizations relying on centralized IT systems supporting multiple operational functions.

Cause:

  • Backup systems are not isolated from the primary environment.
  • Lack of offline or air-gapped backup solutions.
  • Backup procedures are primarily designed for operational convenience, not for resilience against targeted attacks.

Consequences and Security Implications:

  • Total Data Loss: If a cyber attacker encrypts or deletes data on both primary and backup systems, recovery becomes impossible without external backup copies.
  • Operational Disruption: Critical business functions relying on database availability would be unable to operate, resulting in downtime and potential revenue loss.
  • Regulatory and Legal Exposure: Loss of sensitive or regulated data could result in non-compliance penalties and legal liability.
  • Business Continuity Risk: Without recoverable backups, disaster recovery and business continuity plans are ineffective.

Existing Controls:

  • Periodic Vulnerability Assessment and Penetration Testing (VAPT) is conducted on server segments.
  • SOC monitoring is in place to detect malicious activity.

Gaps:

  • Backup systems are online and not physically or logically isolated.
  • No offline or air-gapped backups exist for critical databases.
  • Procedures for secure storage and access to backups are inadequate.

Recommended Remediation Strategy:

  1. Implement Air-Gapped Backups: Critical databases should be copied to offline storage devices or physically isolated servers, ensuring they cannot be accessed over the network.
  2. Encrypt All Backup Data: Both online and offline backups should be encrypted to prevent unauthorized access.
  3. Regular Backup Testing: Conduct periodic restoration tests to ensure data integrity and confirm that backups are functional.
  4. Define Retention Policies: Ensure that backups are retained for a sufficient period to meet operational and regulatory requirements.
  5. Document Backup Procedures: Clear, auditable procedures must be established and followed to prevent accidental exposure or loss of backups.

Impact of Remediation:

  • Dramatically reduces the risk of complete data loss in the event of a cyber-attack.
  • Ensures business continuity and operational resilience.
  • Enhances compliance with regulatory requirements and industry best practices.
  • Provides confidence to management and stakeholders that critical systems are protected against high-impact threats.

  3. Application Inventory (Residual Risk: High)

The assessment revealed that the organization does not maintain a centralized inventory of applications and software. Without this inventory, there is no clear visibility over what applications are in use, who owns them, or their security posture. Critical applications may be outdated, unpatched, or unmanaged.

This gap creates a significant operational and security risk, as critical systems could be left exposed to exploitation. Lack of ownership and accountability over applications also hinders maintenance, patching, and compliance, reducing confidence in the organization’s cybersecurity posture.

Cause:

  • No formal process exists to track applications across the organization.
  • Ownership and responsibility for applications are fragmented or undefined.
  • There is limited oversight of application lifecycle management, including updates, patches, and decommissioning.

Consequences and Security Implications:

  • Increased Attack Surface: Unmanaged applications may contain known vulnerabilities that attackers could exploit.
  • Unauthorized Access or Data Leakage: Without clear ownership and controls, sensitive data may reside in unmonitored applications.
  • Regulatory Compliance Risk: Lack of inventory could lead to non-compliance with IT governance and cybersecurity standards.
  • Operational Risk: Unknown or unmonitored applications may conflict with IT policies, leading to instability or misconfiguration of critical systems.

Existing Controls:

  • Currently, there are no preventive or mitigative controls in place for application inventory management.

Gaps:

  • No centralized inventory or classification of criticality exists.
  • Lack of ownership and tracking for software updates, licensing, and security responsibilities.
  • No integration of application inventory with monitoring or governance systems.

Recommended Remediation Strategy:

  1. Develop a Centralized Application Inventory: Maintain a comprehensive list of all software, including system applications, business applications, and third-party tools.
  2. Assign Ownership: Designate responsible individuals or teams for each application to ensure accountability.
  3. Classify Applications by Criticality: Identify high-risk or business-critical applications requiring higher levels of monitoring and controls.
  4. Integrate Inventory with Governance Processes: Link application records with patch management, vulnerability management, and access control processes.
  5. Establish Update and Review Processes: Conduct periodic reviews to ensure the inventory remains accurate and up to date.

Impact of Remediation:

  • Reduces the likelihood of exploitable vulnerabilities going unnoticed.
  • Enhances compliance with ISO/IEC 27001, NCA ECC-2, and internal IT policies.
  • Provides a foundation for effective risk management, monitoring, and lifecycle control of critical applications.
  • Improves operational stability by reducing shadow IT and unmonitored applications.

  1. Application User Logs (Residual Risk: High)

Critical application user and event logs are not integrated with the Security Information and Event Management (SIEM) system, limiting the ability to monitor security-relevant events across systems. Without centralized log aggregation, anomalies such as failed logins, privilege escalations, and unusual data access patterns may go undetected, reducing the organization’s ability to detect and respond to threats in real time.

This lack of integration increases operational and security risk, as attacks or misconfigurations may persist undetected, potentially leading to unauthorized access, data leakage, or regulatory non-compliance. It also creates inefficiency in the SOC, which must manually correlate events across multiple sources.

Cause:

  • Logging exists at the application level, but ingestion into SIEM is incomplete or missing.
  • No standardized process to ensure all relevant logs are captured and analysed.
  • Limited awareness of the security implications of missing centralized logging.

Consequences and Security Implications:

  • Undetected Malicious Activity: Unauthorized access, privilege escalation, or unusual activity may go unnoticed.
  • Delayed Incident Response: Without centralized visibility, the SOC may take longer to detect and respond to threats, increasing potential impact.
  • Forensic Challenges: In the event of a breach, incomplete logs limit the ability to perform investigations, determine root cause, and implement effective remediation.
  • Regulatory Risk: Inability to maintain auditable activity logs may breach compliance requirements for critical data and systems.

Existing Controls:

  • Some monitoring exists at the local system level, but integration with SIEM is partial or absent.

Gaps:

  • No centralized or consistent approach to log collection, normalization, or alerting.
  • Critical applications lack logging of sensitive or security-relevant events.
  • SOC cannot reliably detect anomalous behaviours across the application landscape.

Recommended Remediation Strategy:

  1. Integrate Application Logs into SIEM: Ensure that all critical applications forward relevant logs to the SIEM for centralized monitoring.
  2. Define Logging Requirements: Identify key events to be logged, including failed logins, privilege changes, and configuration modifications, and ensure each record carries a synchronized timestamp, the acting user, and the source address so that events can be correlated across applications in the SIEM.
  3. Enable Real-Time Alerting: Configure SIEM to generate alerts for suspicious activity or high-risk events.
  4. Conduct Regular Review and Tuning: Periodically review logs and alerts to optimize detection and reduce false positives.
  5. Maintain Historical Log Data: Ensure logs are retained securely for sufficient periods to support compliance and forensic investigation.
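To make the logging-requirement and alerting steps above concrete, the Python script below is an added example written for this case study; it is not the client's SIEM configuration or Real Secure IT's tooling. It normalizes two constructed application log formats (JSON lines from a hypothetical HR portal and key=value lines from a hypothetical billing application) into one schema and runs three correlation rules a SIEM rule set would typically carry: a burst of failed logins, a successful login shortly after such a burst, and a privilege change. The field names, event names, thresholds and sample records are all assumptions.

```python
"""Normalize application audit logs and run SIEM-style detections over them.

Added example for this case study (not the client's or Real Secure IT's code).
Log formats, field names, event names and thresholds are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: the hypothetical HR portal writes JSON lines,
# the hypothetical billing application writes key=value lines.
SAMPLE_LOGS = """\
{"ts": "2025-03-04T09:00:01Z", "app": "hr-portal", "event": "login_failed", "user": "a.saleh", "src": "10.20.4.17"}
{"ts": "2025-03-04T09:00:09Z", "app": "hr-portal", "event": "login_failed", "user": "a.saleh", "src": "10.20.4.17"}
{"ts": "2025-03-04T09:00:15Z", "app": "hr-portal", "event": "login_failed", "user": "a.saleh", "src": "10.20.4.17"}
{"ts": "2025-03-04T09:00:22Z", "app": "hr-portal", "event": "login_failed", "user": "a.saleh", "src": "10.20.4.17"}
{"ts": "2025-03-04T09:00:31Z", "app": "hr-portal", "event": "login_failed", "user": "a.saleh", "src": "10.20.4.17"}
{"ts": "2025-03-04T09:00:40Z", "app": "hr-portal", "event": "login_ok", "user": "a.saleh", "src": "10.20.4.17"}
ts=2025-03-04T09:05:00Z app=billing event=login_ok user=m.khan src=10.20.7.3
ts=2025-03-04T09:06:12Z app=billing event=role_change user=m.khan src=10.20.7.3 detail=clerk->admin
ts=2025-03-04T09:07:00Z app=billing event=login_failed user=j.doe src=10.20.9.9
"""

FAILED_LOGIN_THRESHOLD = 5                  # assumed tuning values
FAILED_LOGIN_WINDOW = timedelta(minutes=2)
PRIVILEGE_EVENTS = {"role_change", "privilege_granted", "group_added"}


def parse_event(line):
    """Turn one raw line into the common schema; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    raw = json.loads(line) if line.startswith("{") else dict(re.findall(r"(\w+)=(\S+)", line))
    return {
        "ts": datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "app": raw["app"],
        "event": raw["event"],
        "user": raw.get("user", "-"),
        "src": raw.get("src", "-"),
        "detail": raw.get("detail", ""),
    }


def normalize(text):
    """Parse every line and order by timestamp, as the SIEM would before correlating."""
    events = [e for e in map(parse_event, text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def _alert(rule, event, detail):
    return {"rule": rule, "ts": event["ts"].isoformat(), "app": event["app"],
            "user": event["user"], "src": event["src"], "detail": detail}


def detect(events):
    """Three correlation rules over the normalized event stream."""
    alerts = []
    failures = defaultdict(list)   # (app, user) -> timestamps of recent failed logins
    burst_at = {}                  # (app, user) -> time the last burst alert fired
    for e in events:
        key = (e["app"], e["user"])
        if e["event"] == "login_failed":
            window = failures[key]
            window.append(e["ts"])
            while e["ts"] - window[0] > FAILED_LOGIN_WINDOW:   # drop failures outside the window
                window.pop(0)
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(_alert("failed_login_burst", e,
                                     f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
                burst_at[key] = e["ts"]
                window.clear()
        elif e["event"] == "login_ok":
            # a success right after a burst is the signal that matters most: the guessing may have worked
            if key in burst_at and e["ts"] - burst_at.pop(key) <= FAILED_LOGIN_WINDOW:
                alerts.append(_alert("success_after_failed_burst", e,
                                     "successful login shortly after a failure burst"))
        elif e["event"] in PRIVILEGE_EVENTS:
            alerts.append(_alert("privilege_change", e, e["detail"] or e["event"]))
    return alerts


def run_detections(text):
    return detect(normalize(text))


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOGS):
        print(a["ts"], a["rule"], a["app"], a["user"], a["src"], a["detail"])
```

Run against the constructed sample, the script raises three alerts: the fifth failed login for a.saleh, the successful login nine seconds later, and the clerk-to-admin role change for m.khan; the single failure for j.doe stays below threshold. The point for the finding above is that none of these three correlations is possible while each application keeps its logs to itself.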

Impact of Remediation:

  • Provides real-time visibility into critical systems, enabling faster detection and response to incidents.
  • Strengthens SOC capabilities and reduces potential operational or security impact.
  • Supports forensic investigations and compliance reporting in case of breaches.
  • Enhances overall cybersecurity posture by proactively identifying and mitigating risks.

  1. Business Impact Analysis (Residual Risk: High)

The organization has not conducted a formal Business Impact Analysis (BIA) for its critical applications, systems, and processes. A BIA is essential for understanding the potential consequences of IT disruptions on business operations, including downtime, financial loss, regulatory penalties, and reputational damage.

Without a BIA, the organization cannot prioritize recovery efforts effectively or define realistic Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical system. This lack of prioritization creates significant risk: in the event of a cyber incident, natural disaster, or operational failure, recovery efforts may focus on non-critical systems, leaving high-priority functions unprotected and exacerbating operational downtime and financial loss.

Additionally, a missing BIA limits the organization’s ability to align IT disaster recovery plans with actual business needs, resulting in inefficient resource allocation and incomplete incident response strategies. Regulatory expectations in critical infrastructure sectors often require documented BIA as part of operational resilience planning, so this gap also represents compliance exposure.

Cause:

  • No structured process exists to identify and prioritize business-critical systems and processes.
  • Recovery priorities are determined ad hoc, based on assumptions rather than formal analysis.
  • Lack of coordination between business units and IT regarding dependencies and criticality of systems.

Consequences and Security Implications:

  • Extended Downtime: During an incident, critical services may not be restored promptly, leading to operational disruption.
  • Reputational Damage: Inability to restore key business functions quickly can damage trust with clients, partners, or regulators.
  • Financial Loss: Misalignment of recovery priorities can result in delayed revenue-generating activities.
  • Regulatory Non-Compliance: Failure to have documented recovery priorities may violate internal or external continuity standards.

Existing Controls:

  • Some ad hoc recovery procedures exist, but they are not aligned with business-critical priorities.

Gaps:

  • No formal documentation of recovery objectives (RPO/RTO).
  • Lack of identification of interdependencies between systems, applications, and business processes.
  • Recovery efforts may focus on non-critical systems while critical functions remain at risk.

Recommended Remediation Strategy:

  1. Conduct a Comprehensive BIA: Identify all critical business functions, their supporting applications, and dependencies.
  2. Define Recovery Objectives: Establish RPOs and RTOs for each critical system and function.
  3. Align Disaster Recovery Plans: Ensure incident response and recovery strategies prioritize the most critical systems first.
  4. Regularly Update BIA: Review and update BIA annually or after major changes in business operations or IT infrastructure.
  5. Document and Communicate Results: Ensure leadership and operational teams are aware of priorities and recovery expectations.
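The dependency-mapping step above is where a BIA most often goes wrong: a business function's RTO is recorded against its front-end application, while the database, identity service or storage underneath inherits nothing. The Python script below is an added example for this case study (not the client's BIA or Real Secure IT's method) that applies one rule: a supporting system must be recoverable at least as fast as the most time-critical function that depends on it. From that it derives a recovery order that restores dependencies first and reports where the current restore capability misses the required RTO. Every system name, RTO/RPO figure, dependency and restore time is constructed.

```python
"""Propagate business RTOs through system dependencies and derive a recovery order.

Added example for this case study, not the client's BIA or Real Secure IT's method.
All systems, RTO/RPO hours, dependencies and restore times are constructed.
"""
import heapq
from collections import defaultdict

# Business functions from a hypothetical BIA, with the applications they run on.
BUSINESS_FUNCTIONS = {
    "outage dispatch":  {"rto_h": 1,  "rpo_h": 0.25, "apps": ["dispatch"]},
    "customer billing": {"rto_h": 4,  "rpo_h": 1,    "apps": ["billing"]},
    "hr payroll":       {"rto_h": 48, "rpo_h": 24,   "apps": ["hr-portal"]},
}

# system -> systems it cannot run without (constructed)
DEPENDENCIES = {
    "dispatch":  ["identity", "gis"],
    "billing":   ["erp-db", "identity"],
    "hr-portal": ["erp-db", "identity"],
    "erp-db":    ["storage"],
    "gis":       ["storage"],
    "identity":  [],
    "storage":   [],
}

# hours the IT team currently needs to restore each system (constructed)
CURRENT_RESTORE_H = {
    "dispatch": 2, "billing": 6, "hr-portal": 24, "erp-db": 8,
    "gis": 12, "identity": 0.5, "storage": 0.5,
}


def _dependents():
    """Reverse the graph: system -> systems that depend on it."""
    rev = defaultdict(list)
    for app, needs in DEPENDENCIES.items():
        for dep in needs:
            rev[dep].append(app)
    return rev


def direct_rtos():
    """RTO each application inherits straight from the functions it supports."""
    rto = {}
    for fn in BUSINESS_FUNCTIONS.values():
        for app in fn["apps"]:
            rto[app] = min(rto.get(app, float("inf")), fn["rto_h"])
    return rto


def effective_rtos():
    """Tightest RTO each system must meet once every dependent is taken into account."""
    direct, dependents = direct_rtos(), _dependents()
    memo, in_progress = {}, set()

    def rto(app):
        if app in memo:
            return memo[app]
        if app in in_progress:            # a cycle would leave the RTO undefined
            raise ValueError(f"dependency cycle at {app}")
        in_progress.add(app)
        value = direct.get(app, float("inf"))
        for d in dependents[app]:
            value = min(value, rto(d))
        in_progress.discard(app)
        memo[app] = value
        return value

    return {app: rto(app) for app in DEPENDENCIES}


def recovery_order():
    """Restore dependencies before dependents; among ready systems, tightest RTO first."""
    rto, dependents = effective_rtos(), _dependents()
    waiting_on = {app: set(needs) for app, needs in DEPENDENCIES.items()}
    ready = [(rto[app], app) for app, needs in waiting_on.items() if not needs]
    heapq.heapify(ready)
    order = []
    while ready:
        _, app = heapq.heappop(ready)
        order.append(app)
        for d in dependents[app]:
            waiting_on[d].discard(app)
            if not waiting_on[d]:
                heapq.heappush(ready, (rto[d], d))
    if len(order) != len(DEPENDENCIES):
        raise ValueError("dependency cycle: not every system could be scheduled")
    return order


def capability_gaps():
    """Systems whose current restore time is longer than the RTO they must meet."""
    rto = effective_rtos()
    gaps = [(app, rto[app], CURRENT_RESTORE_H[app])
            for app in DEPENDENCIES if CURRENT_RESTORE_H[app] > rto[app]]
    return sorted(gaps, key=lambda g: (g[1], g[0]))


if __name__ == "__main__":
    print("effective RTO (h):", effective_rtos())
    print("recovery order:", " -> ".join(recovery_order()))
    for app, required, current in capability_gaps():
        print(f"gap: {app} must restore in {required} h, currently takes {current} h")
```

On the constructed data the one-hour RTO of outage dispatch flows down to the GIS platform and to the shared storage and identity services, even though payroll on the same storage could wait two days; the recovery order then puts identity and storage first and the HR portal last, and four systems turn out to be slower to restore than their inherited RTO allows. Those four are the conversations the BIA workshop needs to have with the business.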

Impact of Remediation:

  • Ensures fast, targeted recovery of mission-critical functions during incidents.
  • Reduces operational, financial, and reputational risk in case of disruptions.
  • Supports evidence-based continuity planning and compliance with regulatory and industry standards.

  1. Background Verification (Residual Risk: High)

The organization currently does not conduct formal background or criminal record checks for employees prior to onboarding. This gap exposes the organization to insider threats, including malicious insiders who could deliberately leak confidential information, manipulate sensitive systems, or engage in fraudulent activity. Granting unvetted employees access to critical systems, data centres, and business-critical applications significantly increases the risk of data compromise and operational disruption.

The absence of verification also creates reputational and regulatory risk, as some industries and clients may expect verified staffing for roles handling sensitive information. Without these checks, leadership lacks assurance that personnel accessing sensitive information are trustworthy, increasing potential liability.

Cause:

  • No formalized background verification process in HR policies.
  • Limited screening of employees prior to granting access to critical systems.
  • Awareness gaps regarding insider threat risks.

Consequences and Security Implications:

  • Insider Threat Risk: Malicious employees may leak sensitive information, tamper with critical systems, or commit fraud.
  • Data Loss and Reputation Risk: Insider incidents could result in financial loss and significant reputational damage.
  • Regulatory Non-Compliance: For sectors handling sensitive data, failure to perform checks may breach internal policies or external regulations.

Existing Controls:

  • No preventive or mitigative controls implemented for background verification.

Gaps:

  • No standardized HR screening process prior to system access.
  • Employees may gain access to critical systems before verification is complete.

Recommended Remediation Strategy:

  1. Implement Formal Background Checks: Conduct criminal, employment, and reference verification for all new hires.
  2. Integrate with Access Provisioning: Ensure access to critical systems is only granted after successful verification.
  3. Document Verification Policies: Clearly define and enforce HR procedures for onboarding and access control.
  4. Periodic Rechecks for Sensitive Roles: Conduct periodic verification for employees in high-risk positions.

Impact of Remediation:

  • Mitigates insider threat risk and protects critical systems.
  • Ensures compliance with industry regulations and internal policies.
  • Builds trust with stakeholders that personnel risks are managed proactively.

  1. Security Awareness Training (Residual Risk: High)

The organization lacks structured, mandatory security awareness training for all employees. Staff members are not consistently trained on identifying phishing attempts, handling sensitive data, using secure passwords, or following incident reporting procedures. In today’s threat landscape, human error remains one of the most common ways attackers gain an initial foothold, and lack of awareness dramatically increases exposure to social engineering attacks, malware, and data leakage incidents.

Employees may also be unaware of how to report suspicious activity, leaving detection and mitigation entirely dependent on IT monitoring, which can delay response times. This gap exposes the organization to operational disruption, financial loss, and regulatory non-compliance, particularly in sectors requiring proof of security awareness training.

Cause:

  • Security awareness programs are not mandatory or consistent across departments.
  • Limited understanding among employees about evolving cyber threats.
  • Lack of structured content covering critical areas like phishing, malware, and incident reporting.

Consequences and Security Implications:

  • Increased Risk of Phishing and Social Engineering: Employees may inadvertently disclose sensitive credentials or click on malicious links.
  • Data Loss or Compromise: Lack of awareness could lead to leakage of confidential business information or intellectual property.
  • Operational Disruption: Compromised accounts could lead to unauthorized changes in systems or data, causing downtime or service disruption.
  • Reputational and Regulatory Risk: Repeated incidents could damage client confidence and result in non-compliance with internal or external standards.

Existing Controls:

  • Some email security solutions block obvious phishing attempts.
  • SOC team monitors and responds to suspicious activity.

Gaps:

  • Training is not conducted regularly for all staff.
  • Social engineering simulations or awareness assessments are not implemented.
  • Employees lack understanding of reporting mechanisms for security incidents.

Recommended Remediation Strategy:

  1. Implement Annual Security Awareness Training: Mandatory sessions for all staff, covering phishing, password hygiene, malware, secure browsing, incident reporting, and remote work best practices.
  2. Conduct Social Engineering Simulations: Periodically simulate phishing and other social engineering attacks to assess employee awareness and readiness.
  3. Establish Clear Reporting Procedures: Train employees to report suspicious emails or activity immediately, integrating this with SOC processes.
  4. Measure Effectiveness: Track participation, knowledge retention, and response to simulated attacks to continuously improve training content.
  5. Tailor Training for Roles: Include specialized modules for management and high-privilege users.

Impact of Remediation:

  • Reduces the likelihood of successful phishing attacks or social engineering exploitation.
  • Enhances overall cyber hygiene across the organization.
  • Improves the organization’s ability to detect and respond to insider or external threats.
  • Supports regulatory compliance and promotes a culture of security awareness.

  1. Specialized Cybersecurity Training (Residual Risk: High)

The assessment identified a lack of specialized, role-based cybersecurity training for technical personnel, including IT, SOC, application developers, and GRC staff. While general awareness training improves baseline knowledge, specialized roles require in-depth expertise to detect threats, analyse malware, implement security controls, and respond effectively to incidents.

Without this training, the organization risks misconfigured controls, delayed incident response, and incomplete threat mitigation, which can compound operational, reputational, and regulatory risks.

Cause:

  • No formal program exists to provide ongoing technical training aligned with responsibilities.
  • Staff may not have current knowledge of emerging threats, secure coding practices, or incident response workflows.
  • Training and skills assessment are not integrated into performance evaluations.

Consequences and Security Implications:

  • Ineffective Implementation of Controls: Security measures may be misconfigured, improperly applied, or not updated according to emerging threats.
  • Delayed or Inadequate Incident Response: Without specialized knowledge, the IT and SOC teams may struggle to contain or remediate incidents efficiently.
  • Increased Operational Risk: Lack of technical expertise can lead to prolonged downtime, mismanaged vulnerabilities, or non-compliance with standards.

Existing Controls:

  • Technical interviews are conducted before onboarding new staff.
  • Some ad hoc guidance is provided on secure practices.

Gaps:

  • No structured, periodic specialized training aligned with staff roles.
  • Limited advanced knowledge in malware analysis, SOC operations, digital forensics, or GRC management.
  • No formal certification or competency assessment for critical roles.

Recommended Remediation Strategy:

  1. Role-Based Training Programs: Provide targeted training for incident response teams, SOC analysts (L1–L3), GRC personnel, and application developers. Include areas such as malware analysis, secure coding, threat hunting, and forensic investigation.
  2. Professional Certifications: Encourage or mandate certifications matched to the role, for example GIAC (SANS) certifications for SOC, forensics, and incident response staff, and CISA, CISM, or CISSP for GRC and security management roles.
  3. Periodic Skills Assessment: Regularly test staff knowledge and ability to apply training in simulated scenarios.
  4. Integration into Performance Management: Link training completion and demonstrated competency to performance evaluations and promotion criteria.
  5. Continuous Updates: Update training materials regularly to reflect emerging threats, technology changes, and industry best practices.

Impact of Remediation:

  • Increases the technical maturity and readiness of IT and cybersecurity teams.
  • Reduces the likelihood of misconfigurations, delayed incident response, or unmanaged vulnerabilities.
  • Ensures that critical systems and data are protected according to best practices and regulatory requirements.
  • Supports the development of a highly skilled cybersecurity workforce, reducing reliance on external support.

  1. Physical Access / Material Gate Controls (Residual Risk: High)

The assessment identified inadequate physical security controls at main access points, particularly regarding laptops, removable media, and other materials. Devices or materials entering without inspection pose a risk of malware introduction, unauthorized access, or data exfiltration.

This gap also reflects a weak integration between physical security and IT security, meaning malicious actors could exploit human or procedural weaknesses to compromise critical IT infrastructure. In sectors with sensitive operations, this represents both operational and reputational risk.

Cause:

  • Gate security personnel lack a standardized, documented process for inspecting laptops, removable media, and other materials.
  • There is no integration with IT systems to enforce approval for device connections.
  • Awareness of physical security risks among staff and contractors is limited.

Consequences and Security Implications:

  • Network Compromise Risk: Unauthorized devices could connect to the corporate network, spreading malware or creating backdoors.
  • Data Exfiltration: Sensitive data or proprietary information may be removed without detection.
  • Operational and Reputational Risk: Breaches resulting from inadequate physical controls can lead to operational disruption, financial loss, or reputational damage.

Existing Controls:

  • External laptops are prohibited from connecting directly to the network without approvals.
  • SOC team monitors network traffic for anomalies.

Gaps:

  • Gate checks are inconsistent, manual, and lack formal documentation.
  • No mandatory verification of materials being brought in or out.
  • Limited coordination between physical security and IT security teams.

Recommended Remediation Strategy:

  1. Enforce Mandatory Gate Checks: Ensure all personnel and visitors undergo consistent checks for devices, storage media, and other materials.
  2. Verify Material Gate Passes: Establish a process to validate approvals and maintain records of materials entering and leaving the premises.
  3. Staff Awareness Training: Train security personnel on the importance of physical security controls and detection of potential threats.
  4. Integrate with IT Security Controls: Implement policies to prevent unapproved devices from connecting to the corporate network.
  5. Periodic Audits: Conduct audits of gate security processes to identify gaps and improve compliance.

Impact of Remediation:

  • Significantly reduces the risk of malware introduction and unauthorized data exfiltration.
  • Ensures compliance with internal security policies and physical security standards.
  • Enhances overall cybersecurity posture by bridging physical and IT security measures.
  • Supports operational continuity and protects critical information assets from physical threats.

Medium and Low-Risk Findings Summary

In addition to the high-risk issues identified, the assessment highlighted several medium and low-risk findings. While these findings do not pose an immediate or critical threat to the organization, they represent control gaps and process weaknesses that could increase exposure over time if not addressed. In complex IT environments, the accumulation of such gaps can weaken overall security maturity and create pathways for more severe incidents.

Medium Findings

  1. Mobile Device Management (MDM) Monitoring

Residual Risk: Medium

Mobile devices accessing corporate email and Microsoft 365 services are enrolled in an existing MDM solution, and baseline security policies are enforced. However, MDM security event logs are not integrated with the centralized SIEM platform, and monitoring of mobile-related security events is limited. This restricts visibility into device-level activities such as policy violations, unauthorized enrolments, or malware-related events.

Impact:
Without centralized monitoring, potentially suspicious activity on mobile devices may go undetected or identified later than necessary. While SOC response capabilities exist, delayed detection reduces the effectiveness of proactive threat management and increases reliance on reactive controls.

Recommendations:
Integrate MDM event logs with the SIEM platform, identify critical mobile security events for monitoring, and establish routine review processes to enhance detection and response capabilities.

  2. Access Control List (ACL) Review

Residual Risk: Medium

The organization performs access revocation during employee offboarding and conducts access reviews on an annual basis. However, there is no centralized, continuously maintained Access Control List (ACL), in the sense of an organization-wide access register that reflects current user access across all systems and applications. Changes resulting from internal role transitions, departmental transfers, or temporary assignments are not always reconciled promptly across platforms. This results in fragmented visibility into who has access to what, particularly in non-core or legacy systems.

Impact:
The absence of a centralized ACL increases the likelihood that users retain excessive or outdated access privileges beyond business necessity. While SOC monitoring may detect malicious activity, access-related risks may persist silently, increasing exposure to unauthorized data access or accidental misuse. Over time, this weakens identity governance and audit readiness.

Recommendations:
Establish a centralized ACL covering all systems and applications, and perform monthly access reconciliation with business owners. Implement identity and access management (IAM) tooling to automate user lifecycle management, role-based access enforcement, and access review workflows.
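As an added example of the monthly reconciliation recommended above (not the client's process or Real Secure IT's tooling), the Python script below joins a constructed HR roster with per-system access exports and an approved role-to-entitlement matrix. It reports the three classes of discrepancy a centralized access register exists to expose: leavers who still hold access, accounts with no HR record behind them, and entitlements a user's current role does not justify, which is what a departmental transfer typically leaves behind. All users, systems, roles and entitlements are constructed.

```python
"""Reconcile system access exports against the HR roster and an approved role matrix.

Added example for this case study (not the client's process or Real Secure IT's tooling).
All users, systems, roles and entitlements are constructed.
"""

# HR roster as exported from a hypothetical HR system; m.khan recently moved from finance.
HR_ROSTER = [
    {"user": "a.saleh", "status": "active",     "dept": "finance",    "role": "analyst"},
    {"user": "m.khan",  "status": "active",     "dept": "operations", "role": "engineer"},
    {"user": "r.ali",   "status": "terminated", "dept": "finance",    "role": "analyst"},
    {"user": "s.noor",  "status": "active",     "dept": "it",         "role": "sysadmin"},
]

# Approved entitlements per (department, role), written as "system:entitlement" (constructed).
ROLE_ENTITLEMENTS = {
    ("finance", "analyst"):     {"billing:read", "erp:report"},
    ("operations", "engineer"): {"dispatch:write", "gis:read"},
    ("it", "sysadmin"):         {"ad:domain-admin", "erp:admin", "billing:admin"},
}

# Per-system access exports: system -> user -> entitlements held (constructed).
SYSTEM_EXPORTS = {
    "billing":  {"a.saleh": {"read"}, "m.khan": {"read"}, "r.ali": {"read"}, "svc_backup": {"admin"}},
    "erp":      {"a.saleh": {"report"}, "s.noor": {"admin"}, "r.ali": {"report"}},
    "dispatch": {"m.khan": {"write"}},
    "gis":      {"m.khan": {"read"}},
    "ad":       {"s.noor": {"domain-admin"}, "a.saleh": {"domain-admin"}},
}


def build_access_register(exports):
    """Flatten the per-system exports into one view: user -> {"system:entitlement", ...}."""
    register = {}
    for system, users in exports.items():
        for user, ents in users.items():
            register.setdefault(user, set()).update(f"{system}:{e}" for e in ents)
    return register


def reconcile(roster, role_entitlements, exports):
    """Return access discrepancies, one record per (user, entitlement)."""
    people = {p["user"]: p for p in roster}
    findings = []
    for user, held in sorted(build_access_register(exports).items()):
        person = people.get(user)
        if person is None:
            # no HR record at all: an orphaned, shared or unregistered service account
            for ent in sorted(held):
                findings.append({"kind": "orphan_account", "user": user, "entitlement": ent})
            continue
        if person["status"] != "active":
            for ent in sorted(held):
                findings.append({"kind": "leaver_access", "user": user, "entitlement": ent})
            continue
        approved = role_entitlements.get((person["dept"], person["role"]), set())
        for ent in sorted(held - approved):
            # held but not justified by the current role: usually residue of a transfer
            findings.append({"kind": "entitlement_outside_role", "user": user, "entitlement": ent})
    return findings


def summarize(findings):
    """Count discrepancies by kind, the figure a monthly review would track over time."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    found = reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, SYSTEM_EXPORTS)
    for f in found:
        print(f["kind"], f["user"], f["entitlement"])
    print(summarize(found))
```

On the constructed data the reconciliation surfaces five items: the terminated user r.ali still holds two entitlements, the svc_backup account on the billing system has no owner on record, m.khan kept finance's billing access after moving to operations, and a.saleh holds domain-admin rights that no finance role justifies. Each of these is exactly the kind of silent exposure the finding above describes, and none of them is visible from any single system's own access list.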

  3. Default System and Server Configurations

Residual Risk: Medium

Server and system configurations are reviewed annually by an external security vendor. Between these assessments, systems may continue operating with default or non-hardened configurations, particularly after upgrades, patches, or new deployments. There is no formal internal process to verify that security baselines remain enforced throughout the year.

Impact:
Default configurations often expose unnecessary services, ports, or insecure settings that increase the attack surface. This creates a window of opportunity for attackers to exploit known weaknesses before the next formal review. While incident response capabilities exist, reliance on detection rather than prevention increases operational risk.

Recommendations:
Define and enforce hardened configuration baselines aligned with industry best practices. Conduct periodic internal configuration reviews (monthly or quarterly) and validate compliance after system changes or updates.
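An internal baseline check between external reviews is mostly a matter of comparing what a system says about itself with what the baseline requires, and treating a directive that is absent as the product default rather than as compliant. The Python script below is an added example for this case study (not the client's tooling or the external vendor's assessment method). The baseline and the captured sshd_config excerpt are constructed, and the "applies when absent" defaults are assumptions that must be confirmed against the installed OpenSSH version before the check is trusted.

```python
"""Check a captured configuration file against a hardening baseline.

Added example for this case study (not the client's or Real Secure IT's tooling).
The baseline, the defaults that apply when a directive is absent, and the
captured file are constructed; confirm the defaults against the installed version.
"""
import re

# directive -> (required value, value the daemon applies when the directive is absent)
BASELINE = {
    "PermitRootLogin":        ("no",      "prohibit-password"),
    "PasswordAuthentication": ("no",      "yes"),
    "X11Forwarding":          ("no",      "no"),
    "MaxAuthTries":           ("4",       "6"),
    "LogLevel":               ("VERBOSE", "INFO"),
}

# sshd_config excerpt captured from a constructed host after an OS upgrade:
# the root-login line was left commented out and password auth was re-enabled.
SAMPLE_CONFIG = """\
# sshd_config
Port 22
#PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 4
"""


def parse_config(text):
    """Map directive (lower-cased; sshd keywords are case-insensitive) -> first value set.

    Comments and blank lines are skipped, so a commented-out directive counts as
    absent, not set.  sshd honours the first occurrence of a keyword, so later
    duplicates are ignored here too.  Both "Key value" and "Key=value" are accepted.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_baseline(text, baseline=BASELINE):
    """Return one finding per non-compliant directive.

    status is "drift" when the directive is set to the wrong value and
    "absent" when it is missing and the default that then applies is wrong.
    """
    actual = parse_config(text)
    findings = []
    for directive, (required, default) in baseline.items():
        value = actual.get(directive.lower())
        if value is None:
            if default.lower() != required.lower():
                findings.append({"directive": directive, "status": "absent",
                                 "expected": required, "effective": default})
        elif value.lower() != required.lower():
            findings.append({"directive": directive, "status": "drift",
                             "expected": required, "effective": value})
    return findings


def is_compliant(text, baseline=BASELINE):
    return not check_baseline(text, baseline)


if __name__ == "__main__":
    for f in check_baseline(SAMPLE_CONFIG):
        print(f"{f['directive']}: {f['status']}, expected {f['expected']}, effective {f['effective']}")
```

The constructed capture fails on three counts: root login is effectively allowed with keys because the hardened line was commented out during the upgrade, password authentication was turned back on, and the log level silently fell back to the default. The same shape of check applies to any baseline that can be expressed as directive-value pairs, and it is the piece that turns an annual vendor review into the periodic internal validation the recommendation calls for.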

  4. Application Single Sign-On (SSO) Coverage

Residual Risk: Medium

Several applications are not integrated with Active Directory and do not leverage Single Sign-On (SSO) for authentication. Users must manage separate credentials for these applications, increasing dependency on manual password handling. Although a password policy exists, credential management remains decentralized.

Impact:
Decentralized authentication increases the likelihood of weak password practices, credential reuse, and insecure storage. It also limits centralized visibility into authentication activity, making it harder to detect compromised accounts or enforce consistent access controls across applications.

Recommendations:
Extend SSO integration to all applicable applications and centralize authentication through Active Directory or an IAM platform. This will reduce credential-related risk while improving access governance and monitoring.

  5. Patch Management Process

Residual Risk: Medium

Patches are applied based on vendor notifications, and updates are deployed when available. However, the patch management process lacks centralized tracking and automation, making it difficult to verify patch status consistently across all systems and applications. Patch deployment timelines may vary depending on system ownership.

Impact:
Known vulnerabilities may remain unpatched for longer periods, increasing exposure to exploitation. The lack of centralized visibility also limits management’s ability to assess patch compliance and risk exposure across the environment.

Recommendations:
Implement a centralized patch management solution to automate deployment, track patch status, and generate compliance reports. Establish defined patch timelines based on system criticality.
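The application-inventory finding earlier on this page and the patch-management finding above are two views of one record set: an inventory row that carries an owner, a criticality and a patch status is what makes a patch timeline enforceable at all. The Python script below is an added example written for this case study (not the client's inventory or Real Secure IT's tooling) that runs the checks both findings ask for over a constructed inventory: missing owner, missing criticality, and pending patches older than the SLA for the application's criticality, with unclassified applications held to the strictest SLA until someone classifies them. The applications, dates and SLA days are assumptions.

```python
"""Governance checks over an application inventory: ownership, classification, patch SLA.

Added example for this case study, not the client's inventory or Real Secure IT's tooling.
Applications, owners, dates and SLA values are constructed.
"""
from datetime import date

# Maximum days a released patch may stay unapplied, by criticality (assumed policy).
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
UNCLASSIFIED_SLA_DAYS = PATCH_SLA_DAYS["critical"]   # unknown criticality is treated as critical

# Constructed inventory rows; "oldest_pending_patch" is the release date of the
# oldest vendor patch that is not yet applied (None when nothing is pending).
INVENTORY = [
    {"app": "billing",        "owner": "finance-apps", "criticality": "high",     "oldest_pending_patch": "2025-02-10"},
    {"app": "hr-portal",      "owner": "",             "criticality": "medium",   "oldest_pending_patch": "2025-02-20"},
    {"app": "dispatch",       "owner": "ops-control",  "criticality": "critical", "oldest_pending_patch": None},
    {"app": "legacy-reports", "owner": "",             "criticality": "",         "oldest_pending_patch": "2025-02-01"},
    {"app": "gis",            "owner": "ops-control",  "criticality": "low",      "oldest_pending_patch": "2024-12-01"},
]

AS_OF = date(2025, 3, 4)   # constructed report date


def patch_sla_days(row):
    """SLA that applies to a row; an unclassified application gets the strictest one."""
    crit = (row.get("criticality") or "").lower()
    return PATCH_SLA_DAYS.get(crit, UNCLASSIFIED_SLA_DAYS)


def inventory_findings(inventory, as_of):
    """Ownership, classification and patch-timeline findings for every row."""
    findings = []
    for row in inventory:
        app = row["app"]
        if not row.get("owner"):
            findings.append({"app": app, "kind": "missing_owner",
                             "detail": "no accountable team recorded"})
        if not row.get("criticality"):
            findings.append({"app": app, "kind": "missing_criticality",
                             "detail": f"held to the {UNCLASSIFIED_SLA_DAYS}-day SLA until classified"})
        released = row.get("oldest_pending_patch")
        if released:
            age = (as_of - date.fromisoformat(released)).days
            sla = patch_sla_days(row)
            if age > sla:
                findings.append({"app": app, "kind": "patch_overdue", "days_overdue": age - sla,
                                 "detail": f"patch pending {age} days against a {sla}-day SLA"})
    return findings


def count_by_kind(findings):
    """The compliance figures a patch or inventory report would carry."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    found = inventory_findings(INVENTORY, AS_OF)
    for f in found:
        print(f["app"], f["kind"], f["detail"])
    print(count_by_kind(found))
```

On the constructed rows, the billing system is eight days past its 14-day window, the unowned and unclassified legacy-reports application is 24 days past the 7-day window it is held to by default, and the low-criticality GIS platform has slipped three days past 90. The HR portal is inside its window but has no owner, which is the record nobody will act on when its next patch lands; that link between ownership and patch timeliness is why the two findings belong in one inventory.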

  6. Security Assessments of Communication Systems

Residual Risk: Medium

Communication systems such as radio, radar, public address systems, and NDB/OTN platforms are not consistently included in formal vulnerability or configuration assessments. These systems are often operationally critical but may fall outside traditional IT security review scopes.

Impact:
Unassessed communication systems may contain unknown vulnerabilities that could be exploited to disrupt operations or intercept sensitive communications. The lack of testing introduces blind spots in the organization’s security posture.

Recommendations:
Include all communication systems in the annual security assessment scope. Perform vulnerability assessments and configuration reviews to identify and remediate weaknesses.

  7. Change Management Consistency

Residual Risk: Medium

A change management procedure exists, and changes are approved and tested for select systems. However, the process is not consistently applied across all departments, applications, and infrastructure components, and policy updates are not performed regularly.

Impact:
Inconsistent change control increases the risk of unplanned outages, configuration errors, and service disruptions. While backups exist, recovery does not eliminate the operational and reputational impact of system downtime.

Recommendations:
Update and enforce a centralized change management policy applicable to all systems and teams. Ensure all changes are formally approved, tested, and documented prior to production deployment.

  8. Laptop and Material Gate Pass Controls

Residual Risk: Medium

Physical security controls exist at facility entry points; however, checks for laptops and materials are inconsistently enforced by security personnel. Gate pass verification procedures are not uniformly applied across all entry points.

Impact:
Unauthorized devices entering the premises could be used to introduce malware, establish rogue wireless connections, or access internal networks. While network-level controls exist, physical access weaknesses increase overall security exposure.

Recommendations:
Standardize gate pass verification procedures and train security staff to enforce them consistently. Periodically audit physical access controls to ensure compliance.

Low Findings

  1. Incident Reporting Mechanism

Residual Risk: Low

The organization has an established incident response process, and incidents can be reported via the helpdesk. However, the incident management procedure does not clearly define a dedicated communication channel (such as a security incident email address) for reporting cybersecurity incidents.

Impact:
This may result in minor delays or confusion during incident reporting, particularly for non-technical staff. Despite this, SOC and helpdesk processes provide sufficient coverage to prevent significant impact.

Recommendations:
Update the incident management procedure to include a clearly defined reporting channel and communicate it to all employees through awareness initiatives.

Remediation Strategy

The remediation strategy developed as part of this engagement was designed to address identified risks in a structured, prioritized, and sustainable manner, while taking into account the organization’s operational constraints and business criticality. Rather than recommending isolated technical fixes, the strategy focused on strengthening governance, process consistency, and control effectiveness across the IT environment.

Remediation actions were aligned to the assessed residual risk levels, with priority given to high-risk findings that posed the greatest threat to business continuity, regulatory compliance, and operational resilience.

  1. Immediate Remediation Actions (High-Risk Findings)

High-risk findings required prompt attention due to their potential to cause significant operational disruption, data exposure, or prolonged service unavailability. Immediate remediation actions were defined to reduce exposure in the short term while longer-term improvements were planned.

Key remediation measures included:

  • Formalizing governance and ownership for critical security processes such as Business Impact Analysis (BIA), access management, incident response, and vulnerability management. Clear accountability was established to ensure controls are consistently applied and maintained.
  • Closing control gaps in areas where policies existed but were not fully implemented or enforced, including access reviews, change management, and system hardening.
  • Strengthening preventative controls to reduce reliance on detection and response mechanisms, particularly in areas where risks could be mitigated through configuration, segmentation, or process improvements.
  • Addressing systemic weaknesses identified across multiple findings, such as inconsistent documentation, fragmented oversight, and lack of centralized visibility.

These actions were intended to stabilize the organization’s risk posture and reduce the likelihood of high-impact incidents while more comprehensive improvements were implemented.

  2. Short- to Medium-Term Improvements (Medium-Risk Findings)

Medium-risk findings were addressed through targeted enhancements aimed at improving consistency, coverage, and maturity across the IT environment. While these risks did not require immediate corrective action, they represented areas where weaknesses could escalate if left unaddressed.

Recommended remediation initiatives included:

  • Standardizing processes such as patch management, change control, and access provisioning to ensure uniform application across all systems and departments.
  • Expanding security coverage to systems and environments that were partially assessed or excluded from regular reviews, including communication systems and supporting platforms.
  • Improving control integration, such as extending Single Sign-On (SSO) and centralized authentication to reduce credential-related risks and enhance monitoring capabilities.
  • Enhancing internal oversight through periodic internal reviews and management reporting to complement external assessments.

These improvements were designed to strengthen operational discipline, reduce dependency on manual processes, and improve overall control effectiveness.

  3. Long-Term Security Maturity Enhancements

In addition to addressing specific findings, the remediation strategy emphasized longer-term initiatives designed to improve the organization’s overall cybersecurity and IT risk maturity.

These initiatives focused on:

  • Embedding risk management into business-as-usual operations, ensuring that risk assessments, access reviews, and control validations are conducted regularly rather than on an ad-hoc basis.
  • Enhancing documentation and reporting, enabling leadership to maintain ongoing visibility into risk trends, control effectiveness, and remediation progress.
  • Aligning governance structures with recognized standards such as ISO/IEC 27001:2022, NIST CSF 2.0, and NCA ECC-2 to support regulatory readiness and continuous improvement.
  • Strengthening cross-functional collaboration between IT, security, operations, and business teams to ensure shared ownership of risk and remediation outcomes.

These actions support a transition from reactive risk management to a proactive, structured IT risk management model.

  4. Prioritization and Implementation Approach

All remediation activities were prioritized based on:

  • Residual risk rating
  • Potential business and operational impact
  • Ease of exploitation
  • Dependency on other systems or processes

This ensured that remediation efforts were sequenced logically, avoided unnecessary disruption, and delivered measurable risk reduction over time. Where appropriate, remediation actions were grouped into phased implementation plans consistent with business priorities, allowing the organization to balance security improvements with operational demands.

Ongoing Monitoring and Validation

To ensure remediation efforts remained effective, the strategy emphasized the importance of continuous monitoring and periodic reassessment. Implemented fixes were to be validated through targeted re-testing to confirm that vulnerabilities had been fully mitigated and that no new exposures had been introduced.

As part of Real Secure IT’s remediation support approach, validation and follow-up activities are typically conducted within 1 to 3 business days for high-risk findings, ensuring that critical exposures are addressed and confirmed promptly. Medium and low-risk findings are generally reviewed and validated over a 1 to 2-week period, providing adequate time for implementation without slowing overall progress in reducing risk.

By adopting this approach, the organization was positioned to maintain an improved security posture over time rather than treating remediation as a one-time exercise.
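As an added illustration of the prioritization criteria and validation windows described in the two sections above (example code written for this page, not a tool used in the engagement), the following scores findings on residual risk, business impact and ease of exploitation, orders them without scheduling any finding ahead of a finding it depends on, and attaches the latest validation date implied by the 1-3 business day and 1-2 week windows. The finding identifiers and 1..3 scoring scales are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Validation windows from the page: 1-3 business days for high-risk findings,
# 1-2 weeks (10 business days) for medium and low; upper bounds serve as deadlines.
VALIDATION_WINDOW_BUSINESS_DAYS = {"high": 3, "medium": 10, "low": 10}
RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}

@dataclass
class Finding:
    fid: str
    residual_risk: str          # "high" | "medium" | "low"
    business_impact: int        # constructed 1..3 scale (3 = highest impact)
    ease_of_exploitation: int   # constructed 1..3 scale (3 = easiest)
    depends_on: list[str] = field(default_factory=list)  # must be remediated first

def priority_score(f: Finding) -> int:
    # Residual risk dominates, then business impact, then ease of exploitation.
    return RISK_WEIGHT[f.residual_risk] * 10 + f.business_impact * 3 + f.ease_of_exploitation

def add_business_days(start: date, days: int) -> date:
    while days > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:  # Monday..Friday count as business days
            days -= 1
    return start

def plan_remediation(findings: list[Finding], start_iso: str) -> list[tuple[str, str]]:
    """Sequence by priority, never before dependencies; attach latest validation date."""
    start, done, order = date.fromisoformat(start_iso), set(), []
    remaining = sorted(findings, key=priority_score, reverse=True)
    while remaining:
        ready = [f for f in remaining if all(d in done for d in f.depends_on)]
        if not ready:
            raise ValueError("circular dependency: " + ", ".join(f.fid for f in remaining))
        nxt = ready[0]  # highest-priority finding whose prerequisites are resolved
        deadline = add_business_days(start, VALIDATION_WINDOW_BUSINESS_DAYS[nxt.residual_risk])
        order.append((nxt.fid, deadline.isoformat()))
        done.add(nxt.fid)
        remaining.remove(nxt)
    return order

# Constructed sample findings (hypothetical identifiers, not from the assessment report).
SAMPLE_FINDINGS = [
    Finding("F-01", "high", 3, 3, depends_on=["F-03"]),  # e.g. SSO extension needs F-03 first
    Finding("F-02", "medium", 2, 2),
    Finding("F-03", "low", 1, 1),                        # prerequisite directory change
    Finding("F-04", "high", 2, 1),
]
```

Note that the highest-scoring finding (F-01) is deferred until its low-rated prerequisite is done, which is exactly the effect the dependency criterion has on a purely score-driven order.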

Conclusion

The IT Risk Posture Discovery Assessment provided the organization with a clear and comprehensive understanding of its current IT and cybersecurity risk landscape. By evaluating critical systems, applications, and supporting processes through a structured, risk-based lens, the engagement moved beyond isolated control reviews and delivered meaningful insight into how technology risks impact business operations and resilience.

The assessment identified several high-risk areas requiring immediate attention, alongside medium- and low-risk issues that, if left unaddressed, could progressively weaken the organization’s security posture. Importantly, the findings highlighted not only technical gaps, but also systemic challenges related to governance, process consistency, and risk prioritization. Addressing these issues enables the organization to reduce exposure to operational disruption, data loss, and regulatory non-compliance.

The remediation planning translated assessment findings into clear, prioritized actions that could be implemented without disrupting day-to-day operations. By sequencing remediation activities and validating fixes within defined timeframes, the organization was able to address critical risks promptly while steadily improving weaker areas over time.

Overall, the engagement strengthened the organization’s ability to understand, manage, and respond to IT and cybersecurity risks in a controlled and informed manner. By adopting a proactive, risk-driven approach supported by recognized standards and ongoing validation, the organization is better positioned to maintain operational resilience, support business continuity, and adapt to an evolving threat landscape.

As part of the engagement, Real Secure IT delivered a detailed IT Risk Posture Discovery Assessment report outlining identified risks, underlying causes, and clearly prioritized remediation actions across people, processes, and technology domains. A dedicated management presentation was also conducted with senior stakeholders to highlight key findings, high-risk areas, and strategic recommendations, enabling leadership to make informed decisions and align remediation efforts with business priorities.

Looking to validate your internal security posture?
Real Secure helps organizations identify exploitable weaknesses, confirm real attack paths, and prioritize remediation with confidence. Speak with our team to discuss your internal penetration testing requirements.